
A British political party will be the victim of a hack similar to those suffered by the Clinton and Macron presidential campaigns, a leading security researcher has warned.

James Norton, a former official at the US Department of Homeland Security and head of the security consultancy Play-Action Strategies, said: “It wouldn’t surprise me if there’s already been some emails stolen … it would surprise me if it didn’t happen.”

It was a matter of when, not if, a hack would take place, he said. “Campaigns are a treasure trove, especially newer campaigns where you’re trying to understand the dynamics … I would think they would be targets, if they’re not already, in terms of trying to understand what their politics would be. Even Theresa May is largely an unknown.”

The EU’s head of information security has previously advised that the risk of hacking attacks greatly increases following the dissolution of parliament. Dr Udo Helmbrecht cautioned candidates that any one of the thousands of political campaigns active over the election period could serve as a bulkhead from which to penetrate deeper into party machinery.

“If you look from a politician’s perspective or from a party’s perspective, you have different areas of concern,” Helmbrecht told the Guardian. “In Germany, the Bundestag was hacked. This was not a weakness in the classic infrastructure – it was naive treatment by parliamentarians.”

Dick O’Brien, a threat researcher at the security company Symantec, agreed that a hack like that on Macron “may well happen again”. Even a snap election left plenty of time for an interested party to take action, he added.

“The nature of elections means that politicians are ripe for attack. Governments are well secured, political parties not so much. And then a campaign expands from a core party into a much more ad hoc organisation. That’s where you see people using resources, cloud services, with email, that they really wouldn’t use in a more permanent organisation. That really opens up the surface for an attack.”

Unlike a French or US presidential campaign, British elections are much more fragmented, with more local power and smaller national oversight. From a security standpoint, that fragmentation can be a blessing and a curse: it offers compartmentalisation, ensuring that low-level breaches do not leak data for the entire campaign, but also leads to a marked increase in the number of potential targets for an external attacker.

None of the national campaigns would comment on security matters, but all are believed to take advice from GCHQ on protecting their networks. Sitting MPs are helped by the Parliamentary Digital Service until parliament dissolves. But for parliamentary candidates who weren’t MPs before the election was called, the amount of support differs wildly.

Elaine Bagshawe, the Liberal Democrat candidate for east London’s Poplar and Limehouse, said: “It’s only recently when ‘information security’ started being a term. It was normally ‘data protection’, or just talking about the specific types of attack we should expect.”

Bagshawe, who worked for the Financial Conduct Authority before running for office, said her professional life had trained her a lot “about the risks of phishing, hacking and identity theft.” The national party’s training, however, was limited to “a lot of webinars,” she said. “I think information security is going to be one.”

Many candidates have previously been local councillors, another role that comes with a certain amount of training about data protection and information security matters. Emma Coad, Labour’s Kensington candidate, said: “If you interface with any sort of data, you go through a load of training. Then, once you become a candidate, you’re given a load of documentation.”

Coad said Labour, like the Lib Dems, offered information security webinars for candidates, “if you want to get hold of them”.

Such advice may be helpful, but Play-Action’s Norton argued that regular, deliberate training was needed to prevent a costly and damaging hack. Both the Clinton and Macron campaigns, for instance, were penetrated through phishing attacks: the hackers created fake Google login pages in an attempt to harvest data.

Technology could help as well as training, Norton said. “It goes back to the investments. Do you even know that folks are on your network? A lot of times people don’t know till months after the fact.”

But there, too, local campaigns seem to be falling down: Coad said the Labour party had never spoken to her campaign about two-factor authentication, one of the ways to limit the damage a phishing attack can inflict, despite the fact that her official campaign address is that of a webmail service that offers it.

Ryan Kalember, head of cybersecurity strategy at Proofpoint, backed Norton’s warning. “Campaigns in elections around the world must ensure that they have implemented proper defences around phishing, including email security and multi-factor authentication, ideally via hardware keys,” he said.

“Our research has shown [that] attackers are relentlessly working to exploit the email communication channel regardless of their level of sophistication, motivation, or country. Email is their top target because it provides the easiest opening into an organisation, one of the easiest routes for exporting confidential information and, for political purposes, email content itself offers an inside look at strategies, motivations and personalities.”

The fragmentation of constituency campaigns does offer security benefits as well, however. Campaigns’ access to data is limited to that relevant to their local area. Bagshawe, the Lib Dem candidate, said: “There are very few shared systems and they don’t talk to each other: I can’t see any data for the neighbouring constituencies in Hackney, for instance.”

Similarly, the vast array of different services used by various campaigns makes it harder to use a one-size-fits-all attack. A fake Gmail login page, for instance, will be less able to trick a campaign run from a Hotmail email address.